Security is an issue with wireless networks. If you fail to take appropriate measures when designing a Wi-Fi network, it can be compromised. WEP (Wired Equivalent Privacy), currently the primary security measure used on wireless networks, is used to encrypt all communication. Unfortunately, it isn’t very secure and can be cracked, which is what we’re going to demonstrate in this article. We used a laptop running Linux and a wireless card for the job.

Since a WLAN is not a switched network, a hacker can use a packet sniffer to capture all data transmitted by any wireless device within radio range. If WEP is enabled on the WLAN, every transmitted packet is encrypted: the packet’s data payload is combined with a secret number (the WEP key) and passed through the RC4 cipher.

The problem is that WEP combines the secret key with a 24-bit random number called an IV (Initialization Vector) to seed RC4 for each packet. Every encrypted packet therefore carries an IV, and since the IV is only 24 bits long, the same values are eventually reused. An attacker could pick out repeating IVs by passively listening to encrypted traffic and use them to guess the WEP key. This, however, is fairly time consuming. Another way is to exploit weak IVs: some values in the range 0 to 16,777,215 don’t work well with the RC4 encryption mechanism.

When these weak IVs are used, the resulting encrypted packet can be run through mathematical functions to recover part of the WEP key. By capturing a large number of packets, a hacker can collect enough weak IVs to retrieve the full key. This is what we did.
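As an added example (not from the article), the following Python models the per-packet key construction described above, a 24-bit IV prepended to the secret key and fed to RC4, and quantifies how quickly the IV space repeats. The RC4 routine is a textbook implementation, the IV byte order is a modelling choice, and the key and IV values are constructed samples.

```python
# Added example: WEP-style per-packet RC4 seeding and IV-reuse arithmetic.
import math

IV_BITS = 24
IV_SPACE = 1 << IV_BITS          # 16,777,216 possible IVs (0 .. 16,777,215)


def rc4_keystream(key: bytes, length: int) -> bytes:
    """Generate `length` bytes of RC4 keystream for `key` (KSA then PRGA)."""
    s = list(range(256))
    j = 0
    for i in range(256):                       # key-scheduling algorithm
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for _ in range(length):                    # pseudo-random generation
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def wep_keystream(iv: int, wep_key: bytes, length: int) -> bytes:
    """WEP seeds RC4 with the 3-byte IV followed by the secret key, so the
    keystream depends only on (IV, key): a repeated IV repeats the keystream."""
    return rc4_keystream(iv.to_bytes(3, "big") + wep_key, length)


def iv_collision_probability(packets: int, space: int = IV_SPACE) -> float:
    """Birthday bound: P(at least one repeated IV) after `packets` frames
    whose IVs are drawn uniformly at random from `space` values."""
    return 1.0 - math.exp(-packets * (packets - 1) / (2.0 * space))


def expected_packets_to_first_repeat(space: int = IV_SPACE) -> int:
    """Approximate number of frames at which the first IV repeat is expected."""
    return round(math.sqrt(math.pi * space / 2))


def find_iv_reuse(ivs):
    """Return the first IV seen twice in a sequence of frame IVs, else None.
    A WLAN monitor can flag this: a repeated IV under the same key means
    the same keystream was applied to two different payloads."""
    seen = set()
    for iv in ivs:
        if iv in seen:
            return iv
        seen.add(iv)
    return None
```

With random IVs the first repeat is expected after only about five thousand frames, which is why a busy WEP network leaks reused keystream quickly regardless of the weak-IV problem.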

We used Airsnort (on the PCQEssentials CD as airsnort-0.2.2.tar.gz) for Linux to capture packets. To use it, log in as root, mount the CD and copy this file to your home directory. Run the following commands to untar it, build the executable binary and install it.

Now, it’s time to play dirty. Put your wireless LAN card into ‘monitor mode’, in which it listens to all traffic on the Wi-Fi network while remaining invisible to others. We used a Cisco Aironet card, which can be set to monitor mode as follows.